Files and directories - local
Splunk Enterprise can monitor files and directories for events. If your system generates it, Splunk Enterprise can index, search, report on, and alert on it.
To get data from files and directories into Splunk Enterprise:
A. Go to the Add New page
You add an input from the Add New page in Splunk Web. You can get there by two routes:
- Splunk Home
- Splunk Settings
Via Splunk Settings:
1. Click Settings in the upper right-hand corner of Splunk Web.
2. In the Data section of the Settings pop-up, click Data Inputs.
3. Click Files & Directories.
4. Click the New button to add an input.
Via Splunk Home:
1. Click the Add Data link in Splunk Home.
2. Click Upload to upload a file, Monitor to monitor a file, or Forward to forward a file.
Note: Forwarding a file requires additional setup. See "Forward data" in this manual.
B. Select the input source
1. To add a file or directory input, click Files & Directories.
2. In the File or Directory field, specify the full path to the file or directory.
To monitor a shared network drive, enter its path (\\<myhost>\<mypath> on Windows). Make sure Splunk Enterprise has read access to the mounted drive, as well as to the files you wish to monitor.
3. Choose how you want Splunk Enterprise to monitor the file:
- Continuously Monitor. Sets up an ongoing input. Splunk Enterprise monitors the file continuously for new data. Read the next section for advanced options specific to this choice.
- Index Once. Copies a file on the server into Splunk Enterprise.
4. Click the green Next button.
- If you specified a directory in the "File or Directory" field, Splunk Enterprise refreshes the screen to show fields for "whitelist" and "blacklist". These fields let you specify regular expressions that Splunk Enterprise then uses to match files for inclusion (in the case of a whitelist) or exclusion (in the case of a blacklist). See "Whitelist or blacklist specific incoming data."
- Otherwise, Splunk Enterprise lets you preview the data.
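The whitelist and blacklist fields above decide which files in a directory input actually reach the index, and the read-access requirement from step 2 decides whether a listed file can be opened at all. The following is an added example, not code from Splunk or from this manual, that lets you dry-run both checks against a directory listing before you submit the input. It assumes the semantics of those fields: each pattern is an unanchored regular expression tested against the full path, an empty whitelist admits every file, and a file matching the blacklist is excluded even when it also matches the whitelist. The directory listing is constructed for the example.

```python
import os
import re
from typing import Iterable, List, Optional


def select_monitored_files(
    paths: Iterable[str],
    whitelist: Optional[str] = None,
    blacklist: Optional[str] = None,
) -> List[str]:
    """Return the subset of `paths` a directory monitor input would pick up.

    Assumed semantics of the wizard's whitelist/blacklist fields:
    - each pattern is an unanchored regex tested against the full path
      (re.search, not re.match);
    - an empty whitelist admits every file;
    - a file matching the blacklist is excluded even if the whitelist
      also matches it (blacklist takes precedence).
    """
    wl = re.compile(whitelist) if whitelist else None
    bl = re.compile(blacklist) if blacklist else None
    selected: List[str] = []
    for path in paths:
        if bl is not None and bl.search(path):
            continue  # explicitly excluded
        if wl is not None and not wl.search(path):
            continue  # not admitted by the whitelist
        selected.append(path)
    return selected


def unreadable_paths(paths: Iterable[str]) -> List[str]:
    """Paths the current OS user cannot read (missing or no read permission).

    Run this as the account Splunk Enterprise runs under: a file that
    account cannot open will not be indexed, whatever the patterns say.
    """
    return [p for p in paths if not os.access(p, os.R_OK)]


# Constructed sample listing of a directory input (not real data).
SAMPLE_DIR_LISTING = [
    "/var/log/app/app.log",
    "/var/log/app/app.log.1",
    "/var/log/app/app.log.2.gz",
    "/var/log/app/debug.log",
    "/var/log/app/audit.log",
    "/var/log/app/tmp/scratch.log",
]

if __name__ == "__main__":
    kept = select_monitored_files(
        SAMPLE_DIR_LISTING,
        whitelist=r"\.log$",            # only current (unrotated) log files
        blacklist=r"/tmp/|debug\.log",  # skip scratch space and debug output
    )
    for path in kept:
        print(path)
    # With the constructed listing this keeps app.log and audit.log only.
    for path in unreadable_paths(kept):
        print(f"WARNING: cannot read {path}")
```

Feeding the real directory listing (for example from os.walk) through select_monitored_files shows exactly which files the patterns admit, which is far cheaper than discovering after submission that a too-broad whitelist pulled rotated or compressed archives into the index, or that a blacklist quietly dropped the audit log you were relying on.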
C. Preview your data and set its source type
When you add a new file input, Splunk Enterprise lets you set the source type of your data and preview how it will look once it has been indexed. This lets you ensure that the data has been formatted properly and make any necessary adjustments.
- See "The Set Sourcetype page" to learn about the Set Sourcetype page.
- See "View and set source types for event data" to learn how to use the page.
If you choose to skip data preview, Splunk Web takes you to the Input Settings page.
Note: Splunk Enterprise cannot show a preview of directories or archived files.
D. Specify input settings
The Input Settings page lets you specify application context, default host value, and index. All of these parameters are optional.
1. Select the appropriate Application context for this input.
2. Set the Host name value. You have several choices for this setting. Learn more about setting the host value in "About hosts".
- Note: Host only sets the host field in the resulting events. It does not direct Splunk Enterprise to look on a specific host on your network.
3. Set the Index that Splunk Enterprise should send data to for this input. Leave the value as "default", unless you have defined multiple indexes and want to use one of those instead. In addition to indexes for user data, Splunk Enterprise has a number of utility indexes, which also appear in this dropdown box.
4. Click the green Review button.
E. Review your choices
After specifying all your input settings, you can review your selections. Splunk Enterprise lists all options you selected, including but not limited to the type of monitor, the source, the source type, the application context, and the index.
Review the settings. If they do not match what you want, click the white < button in the banner to go back to the previous step in the wizard. Otherwise, click the green Submit button.
Splunk Enterprise then loads the "Success" page and begins indexing the specified file or directory.
For more information on getting data from files and directories, see "Monitor files and directories" in this manual.
This documentation applies to the following versions of Splunk® Enterprise: 6.3.0